Hacking the water and oil supplies? Expert warns it could happen

A cybersecurity researcher believes that the US is very vulnerable to attacks …

Cybersecurity researcher Aaron Turner recently testified to the House Committee on Homeland Security's Subcommittee on Emerging Threats, and he has published a summary of his testimony at CSO (you can find the original testimony at the DHS site). Turner's testimony covers the threat of Internet-based terrorism to the nation's critical infrastructure (petrochemical, energy, transportation, and water), an area that he's intimately acquainted with through his job at the Department of Energy's Idaho National Laboratory (INL). Judging by the long string of failing grades that our national infrastructure has gotten on its annual cybersecurity evaluations, you'd expect Turner's testimony to be fairly bleak, and indeed it is.

In a nutshell, Turner describes how infrastructure companies have rushed to connect their aging legacy computer systems to the Internet in order to get the kinds of networked efficiencies that other industries have seen from making the online transition. This natural response to competitive pressures has left these critical systems vulnerable to even low-skilled crackers, much like the systems of many banks and other large corporations were vulnerable to the Blaster worm epidemic of 2003.

"The Departments of Energy and Homeland Security have funded 12 separate control system security reviews, during which Idaho National Labs (INL) experts have found that all of the evaluated systems suffer from high-impact security vulnerabilities that could be exploited by a low-skill-level attacker, using techniques that do not require physical access to systems," writes Turner. He goes on to say that these legacy systems can't even be easily secured without possibly breaking them, but he stops short of stating the obvious conclusion that a costly overhaul of these companies' computing systems is needed.

The strongest part of Turner's testimony is when he describes the current critical infrastructure security situation in economic terms, as "imbalanced" and due for a "correction." He argues that right now there's a large mismatch between the high levels of competence, motivation, and organization in the underground cracking community and the low levels of information security at infrastructure sites like refineries, power plants, and water utilities. This mismatch, he suggests, ominously mirrors the mismatch between the capabilities of crackers and the vulnerability of corporate desktops that preceded the 2003 worm epidemic, an epidemic that he describes as an inevitable "correction" that brought about a long-overdue increase in desktop security.

I think that he could've gone a bit further and noted that the 2003 correction cost the market tens of millions of dollars, but that cost was distributed globally across multiple industries and passed on to hundreds of millions of consumers, easing the burden on any one business or demographic. An infosec "correction" in the area of critical infrastructure may well cost both money and lives, and in many of the attack scenarios, the impact could be dramatically concentrated in a single city or community (e.g., an attack on a water supply) in a way that does lasting damage (e.g., long-term health effects that result in lawsuits and medical costs).

Right now, DHS's recently-announced critical infrastructure security grants are focused entirely on ports and public transit. It's difficult to know how seriously the agency is taking cybersecurity, but given that the current cybersecurity czar has managed to stick with the job for a record-breaking eight months, I'd say that things are looking up. But looking up from the bottom is still bad, and we have a long ways to go, especially given the threat environment.

Gregory Garcia, the aforementioned new cybersecurity czar, gave a talk at an RSA conference earlier this year in which he summed up the nation's cybersecurity situation as follows:

"The evidence shows that attacks on our infrastructure are growing in sophistication and frequency. In FY2006, our cyber security operations center, United States Computer Emergency Readiness Team (US-CERT), received over 23,000 incident reports from public and private sources. We’ve nearly reached that number in just the first quarter of FY07 alone. And those are just the incidents that are reported to us. Some of this increase can likely be attributed to higher awareness levels and reporting rates; however, much of it is due to the growing scale of the threats we face from both domestic and international sources."

His subsequent suggestions for how we should deal with vulnerabilities are hard to argue with: disaster preparedness, increased awareness and vigilance, increased private sector participation in groups and committees dedicated to working on the issue, adherence to best practices, and so on. All of these are good things, but his speech lacked attention to one critical element: money.

If Aaron Turner's testimony is to be believed, the systems that infrastructure companies have connected to the Internet are in dire need of an upgrade before they can be properly secured. That's going to take the kind of cash that we'll probably only spend after some sort of major wake-up call. After all, most companies still see IT as a cost center, and everybody sees security as a cost center. So IT security is like the black hole of cost centers. Given that reality, it's unfortunately quite hard to imagine anyone coughing up enough cash for the needed upgrades until something happens to make the threat vividly clear.